From 5b2d3b09d093863e93ff331c75d4122a1b068b62 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 17 Dec 2020 08:05:16 +0100 Subject: [PATCH 01/10] Create system users for vmail (dovecot) and evoadmin --- CHANGELOG.md | 1 + dovecot/tasks/main.yml | 2 ++ webapps/evoadmin-web/tasks/user.yml | 2 ++ 3 files changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4eefc696..30bd12d0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,6 +26,7 @@ The **patch** part changes incrementally at each release. ### Changed +* Create system users for vmail (dovecot) and evoadmin * apt: disable APT Periodic * evoacme: upstream release 20.12 * evocheck: upstream release 20.12 diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index 8508a902..1a7e4280 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -41,6 +41,7 @@ group: name: vmail gid: "{{ dovecot_vmail_gid }}" + system: True tags: - dovecot @@ -50,6 +51,7 @@ group: vmail uid: "{{ dovecot_vmail_uid }}" shell: /bin/false + system: True tags: - dovecot diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index 5aa6c29c..7b58270c 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -6,6 +6,7 @@ comment: "Evoadmin Web Account" home: "{{ evoadmin_home_dir }}" password: "!" + system: yes - name: Create www-evoadmin group group: @@ -22,6 +23,7 @@ - name: "Create www-evoadmin (Debian 9 or later)" user: name: www-evoadmin + system: yes when: ansible_distribution_major_version is version('9', '>=') - name: Is /etc/aliases present? From 0b528f15da85a9d07c24cfff74078bc254949351 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 17 Dec 2020 08:06:44 +0100 Subject: [PATCH 02/10] tomcat-instance: fail if uid already exists --- CHANGELOG.md | 1 + tomcat-instance/tasks/user.yml | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 30bd12d0..076ef587 100644 
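Review bot: The `system` flag of the Ansible `user` and `group` modules only takes effect when the account is created, so the added `system: True` lines in dovecot/tasks/main.yml and `system: yes` lines in webapps/evoadmin-web/tasks/user.yml change nothing on hosts where these accounts already exist. If the aim is to have the service accounts uniformly flagged as system accounts, that needs a migration step or at least a changelog remark; a comment such as `# system only applies at creation; existing accounts are left as they are` above each task would make the limit visible. The two files also spell the boolean differently, and `system: true` in all four hunks would be consistent. The task bodies start outside the hunks, so which accounts are affected is partly read from the commit subject.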
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,7 @@ The **patch** part changes incrementally at each release. * apt: disable APT Periodic * evoacme: upstream release 20.12 * evocheck: upstream release 20.12 +* tomcat-instance: fail if uid already exists ### Fixed diff --git a/tomcat-instance/tasks/user.yml b/tomcat-instance/tasks/user.yml index a4a7bcb2..64244799 100644 --- a/tomcat-instance/tasks/user.yml +++ b/tomcat-instance/tasks/user.yml @@ -1,4 +1,24 @@ --- + +- fail: + msg: "You must provide a value for the 'tomcat_instance_port' variable." + when: tomcat_instance_port is not defined or tomcat_instance_port == '' + + +- name: "Test if uid '{{ tomcat_instance_port }}' exists" + command: 'id -un -- "{{ tomcat_instance_port }}"' + register: get_login_from_id + failed_when: False + changed_when: False + check_mode: no + +- name: "Fail if uid already exists for another user" + fail: + msg: "Uid '{{ tomcat_instance_port }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ tomcat_instance_name }}'" + when: + - get_login_from_id.rc == 0 + - get_login_from_id.stdout != tomcat_instance_name + - name: Create group instance group: name: "{{ tomcat_instance_name }}" From 81fbd98a5f37a02afdc9ca0e0f91a543a9605360 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 17 Dec 2020 15:25:48 +0100 Subject: [PATCH 03/10] evolinux-users: improve uid/login checks --- CHANGELOG.md | 1 + evolinux-users/tasks/user.yml | 44 ++++++++++++++++++++++++++--------- 2 files changed, 34 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 076ef587..ec95a820 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,7 @@ The **patch** part changes incrementally at each release. * apt: disable APT Periodic * evoacme: upstream release 20.12 * evocheck: upstream release 20.12 +* evolinux-users: improve uid/login checks * tomcat-instance: fail if uid already exists ### Fixed 
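Review bot: The presence guard at the top of tomcat-instance/tasks/user.yml only rejects an undefined or empty `tomcat_instance_port`, yet the next task hands the value to `id -un --` as a uid; a non-numeric value would be looked up as a login name and the collision check would then answer a different question. Tightening the guard to `when: tomcat_instance_port is not defined or not (tomcat_instance_port | string) is match('^[0-9]+$')` keeps the lookup numeric. Passing the lookup as `argv: ['id', '-un', '--', '{{ tomcat_instance_port }}']` would also stop the templated value from being re-split into extra arguments. The first `fail` task has no `name:`, and only passwd is consulted; if the group task that follows (its body continues outside the hunk) reuses the port as gid, a matching `getent group` check would be the counterpart.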
diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index 2f5e4e43..b8dda1d2 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml @@ -2,20 +2,41 @@ # Unix account +- fail: + msg: "You must provide a value for the 'user.name ' variable." + when: user.name is not defined or user.name == '' + +- fail: + msg: "You must provide a value for the 'user.uid ' variable." + when: user.uid is not defined or user.uid == '' + - name: "Test if '{{ user.name }}' exists" - command: 'getent passwd {{ user.name }}' - register: loginisbusy + command: 'id -u "{{ user.name }}"' + register: get_id_from_login failed_when: False changed_when: False check_mode: no -- name: "Test if uid exists for '{{ user.name }}'" - command: 'getent passwd {{ user.uid }}' - register: uidisbusy +- name: "Test if uid '{{ user.uid }}' exists" + command: 'id -un -- "{{ user.uid }}"' + register: get_login_from_id failed_when: False changed_when: False check_mode: no +# Error if +# the uid already exists +# and the user associated with this uid is not the desired user +- name: "Fail if uid already exists for another user" + fail: + msg: "Uid '{{ user.uid }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ user.name }}'" + when: + - get_login_from_id.rc == 0 + - get_login_from_id.stdout != user.name + +# Create/Update the user account with defined uid if +# the user doesn't already exist and the uid isn't already used +# or the user exists with the defined uid - name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')" user: state: present 
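Review bot: The login lookup `id -u "{{ user.name }}"` is missing the `--` separator that the uid lookup right below it uses, so a `user.name` starting with `-` would be parsed by `id` as an option rather than as a login. Writing it as `command: 'id -u -- "{{ user.name }}"'` makes the two lookups consistent. The two new `fail` messages also carry a stray space inside the quotes (`'user.name '`, `'user.uid '`), and both tasks lack a `name:`. The `user:` task that closes the hunk continues outside it.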
@@ -24,11 +45,13 @@ comment: '{{ user.fullname }}' shell: /bin/bash password: '{{ user.password_hash }}' - update_password: on_create + update_password: "on_create" when: - - loginisbusy.rc != 0 - - uidisbusy.rc != 0 + - (get_id_from_login.rc != 0 and get_login_from_id.rc != 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout == user.name) +# Create/Update the user account without defined uid if +# the user doesn't already exist but the defined uid is already used +# or another user already exists with a the same uid - name: "Unix account for '{{ user.name }}' is present (with random uid)" user: state: present @@ -36,10 +59,9 @@ comment: '{{ user.fullname }}' shell: /bin/bash password: '{{ user.password_hash }}' - update_password: on_create + update_password: "on_create" when: - - loginisbusy.rc != 0 - - uidisbusy.rc == 0 + - (get_id_from_login.rc != 0 and get_login_from_id.rc == 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout != user.name) - name: Is /etc/aliases present? stat: From 8861169a04206c29729d50f9c85b9bd8e81b0b6c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 20 Dec 2020 22:55:39 +0100 Subject: [PATCH 04/10] varnish: config file name is configurable --- CHANGELOG.md | 1 + varnish/files/reload-vcl.sh | 5 ----- varnish/tasks/main.yml | 6 +++--- varnish/templates/reload-vcl.sh.j2 | 5 +++++ 4 files changed, 9 insertions(+), 8 deletions(-) delete mode 100644 varnish/files/reload-vcl.sh create mode 100644 varnish/templates/reload-vcl.sh.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index ec95a820..79fa9859 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes incrementally at each release. * redis: variable to force use of port 6379 in instances mode * redis: check maxmemory in NRPE check * lxc-php: Allow php containers to contact local MySQL with localhost +* varnish: config file name is configurable ### Changed 
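Review bot: The comment and the first branch of the `when:` on the "with random uid" task describe a case that can no longer occur: when the login does not exist and the uid is taken, `get_login_from_id.stdout` is another login, so the "Fail if uid already exists for another user" task added earlier in this commit fails the host first. Only the second branch is still reachable (the login exists under a different uid while the requested uid is free), and it depends on `stdout` being empty when `id` fails. I would reduce the condition to the two list items `- get_id_from_login.rc == 0` and `- get_login_from_id.rc != 0` and reword the comment above the task to match; that comment also contains the typo "with a the same uid". Both `user:` tasks start outside these hunks.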
diff --git a/varnish/files/reload-vcl.sh b/varnish/files/reload-vcl.sh deleted file mode 100644 index 537dcddf..00000000 --- a/varnish/files/reload-vcl.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -UUID=`cat /proc/sys/kernel/random/uuid` -/usr/sbin/varnishd -C -f /etc/varnish/default.vcl >/dev/null \ - &&/usr/bin/varnishadm -T localhost:6082 -S /etc/varnish/secret "vcl.load vcl_$UUID /etc/varnish/default.vcl" \ - && /usr/bin/varnishadm -T localhost:6082 -S /etc/varnish/secret "vcl.use vcl_$UUID" diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index c55218ef..1bf61fde 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -19,8 +19,8 @@ - varnish - name: Copy Custom Varnish ExecReload script (Debian <=9) - copy: - src: "reload-vcl.sh" + template: + src: "reload-vcl.sh.j2" dest: "/etc/varnish/reload-vcl.sh" mode: "0700" owner: root @@ -62,7 +62,7 @@ - name: Copy Varnish configuration template: src: "{{ item }}" - dest: /etc/varnish/default.vcl + dest: "{{ varnish_config_file }}" mode: "0644" force: yes with_first_found: diff --git a/varnish/templates/reload-vcl.sh.j2 b/varnish/templates/reload-vcl.sh.j2 new file mode 100644 index 00000000..e60d8257 --- /dev/null +++ b/varnish/templates/reload-vcl.sh.j2 @@ -0,0 +1,5 @@ +#!/bin/sh +UUID=`cat /proc/sys/kernel/random/uuid` +/usr/sbin/varnishd -C -f {{ varnish_config_file }} >/dev/null \ + && /usr/bin/varnishadm -T {{ varnish_management_address }} -S {{ varnish_secret_file }} "vcl.load vcl_$UUID {{ varnish_config_file }}" \ + && /usr/bin/varnishadm -T {{ varnish_management_address }} -S {{ varnish_secret_file }} "vcl.use vcl_$UUID" From 3e72d6961c630a4e99c8e3d4225a33bf0c8e9ce7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 20 Dec 2020 22:56:15 +0100 Subject: [PATCH 05/10] varnish: no threadpool delay by default --- CHANGELOG.md | 2 ++ varnish/defaults/main.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 79fa9859..e4ecf202 100644 
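Review bot: In varnish/templates/reload-vcl.sh.j2 the new variables are rendered unquoted into a script that is installed root-owned with mode 0700, so a `varnish_config_file` or `varnish_secret_file` containing whitespace or shell metacharacters would be word-split or interpreted by `/bin/sh`. Ansible's `quote` filter covers the standalone arguments, for example `/usr/sbin/varnishd -C -f {{ varnish_config_file | quote }} >/dev/null \` and `-T {{ varnish_management_address | quote }} -S {{ varnish_secret_file | quote }}`. The occurrence inside the double-quoted `vcl.load` string cannot be fixed the same way and is best handled by documenting, next to the defaults, that the path must not contain spaces or quotes. Inventory values are normally trusted, so this is hardening rather than a fix for a reachable bug.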
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,8 @@ The **patch** part changes incrementally at each release. * evocheck: upstream release 20.12 * evolinux-users: improve uid/login checks * tomcat-instance: fail if uid already exists +* varnish: change template name for better readability +* varnish: no threadpool delay by default ### Fixed diff --git a/varnish/defaults/main.yml b/varnish/defaults/main.yml index 544d0cf7..7a7d8c2f 100644 --- a/varnish/defaults/main.yml +++ b/varnish/defaults/main.yml @@ -10,7 +10,7 @@ varnish_malloc_size: "2G" varnish_storage: malloc,{{ varnish_malloc_size }} varnish_thread_pools: "{{ ansible_processor_cores * ansible_processor_count }}" -varnish_thread_pool_add_delay: 2 +varnish_thread_pool_add_delay: 0 varnish_thread_pool_min: 500 varnish_thread_pool_max: 5000 From d430dea043d61c8939774d81f19fa732519a19d0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 20 Dec 2020 23:00:50 +0100 Subject: [PATCH 06/10] whitespaces --- varnish/tasks/main.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 1bf61fde..9624d832 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -4,19 +4,19 @@ name: varnish state: present tags: - - varnish + - varnish - name: Remove default varnish configuration files file: path: "{{ item }}" state: absent with_items: - - /etc/default/varnish - - /etc/default/varnishncsa - - /etc/default/varnishlog + - /etc/default/varnish + - /etc/default/varnishncsa + - /etc/default/varnishlog notify: reload varnish tags: - - varnish + - varnish - name: Copy Custom Varnish ExecReload script (Debian <=9) template: 
@@ -28,14 +28,14 @@ when: ansible_distribution_major_version is version('9', '<=') notify: reload varnish tags: - - varnish + - varnish - name: Create a system config directory for systemd overrides file: path: /etc/systemd/system/varnish.service.d state: directory tags: - - varnish + - varnish - name: Override Varnish systemd unit template: @@ -46,7 +46,7 @@ - reload systemd - restart varnish tags: - - varnish + - varnish - name: Patch logrotate conf replace: @@ -57,7 +57,7 @@ - varnishlog - varnishncsa tags: - - varnish + - varnish - name: Copy Varnish configuration template: @@ -72,7 +72,7 @@ - "default.vcl.j2" notify: reload varnish tags: - - varnish + - varnish - name: Create Varnish config dir file: @@ -80,7 +80,7 @@ state: directory mode: "0755" tags: - - varnish + - varnish - name: Copy included Varnish config template: @@ -92,6 +92,6 @@ - "templates/varnish/conf.d/*.vcl" notify: reload varnish tags: - - varnish + - varnish - include: munin.yml From 0f5ce44186420bae38b88f3859e929e765affb46 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 20 Dec 2020 23:01:46 +0100 Subject: [PATCH 07/10] varnish: change template name for better readability --- varnish/tasks/main.yml | 12 ++++++++---- varnish/templates/{default.vcl.j2 => varnish.vcl.j2} | 0 2 files changed, 8 insertions(+), 4 deletions(-) rename varnish/templates/{default.vcl.j2 => varnish.vcl.j2} (100%) diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 9624d832..38066298 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml 
@@ -66,10 +66,14 @@ mode: "0644" force: yes with_first_found: - - "templates/varnish/default.{{ inventory_hostname }}.vcl.j2" - - "templates/varnish/default.{{ host_group }}.vcl.j2" - - "templates/varnish/default.default.vcl.j2" - - "default.vcl.j2" + - "templates/varnish/varnish.{{ inventory_hostname }}.vcl.j2" + - "templates/varnish/default.{{ inventory_hostname }}.vcl.j2" + - "templates/varnish/varnish.{{ host_group }}.vcl.j2" + - "templates/varnish/default.{{ host_group }}.vcl.j2" + - "templates/varnish/varnish.default.vcl.j2" + - "templates/varnish/default.default.vcl.j2" + - "varnish.vcl.j2" + - "default.vcl.j2" notify: reload varnish tags: - varnish diff --git a/varnish/templates/default.vcl.j2 b/varnish/templates/varnish.vcl.j2 similarity index 100% rename from varnish/templates/default.vcl.j2 rename to varnish/templates/varnish.vcl.j2 From 67ce8de85e0215b557ffbb051ede1b9df5168896 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 20 Dec 2020 23:25:34 +0100 Subject: [PATCH 08/10] varnish: custom reload script is now useless --- CHANGELOG.md | 1 + varnish/tasks/main.yml | 21 +++++++++++++++++---- varnish/templates/varnish.conf.buster.j2 | 5 +++++ varnish/templates/varnish.conf.j2 | 7 ------- varnish/templates/varnish.conf.jessie.j2 | 7 +++++++ 5 files changed, 30 insertions(+), 11 deletions(-) create mode 100644 varnish/templates/varnish.conf.buster.j2 delete mode 100644 varnish/templates/varnish.conf.j2 create mode 100644 varnish/templates/varnish.conf.jessie.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index e4ecf202..463d3a83 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,7 @@ The **patch** part changes incrementally at each release. * tomcat-instance: fail if uid already exists * varnish: change template name for better readability * varnish: no threadpool delay by default +* varnish: no custom reload script for Debian 10 and later ### Fixed diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 38066298..7274cba8 100644 
--- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -18,14 +18,14 @@ tags: - varnish -- name: Copy Custom Varnish ExecReload script (Debian <=9) +- name: Copy Custom Varnish ExecReload script (Debian <10) template: src: "reload-vcl.sh.j2" dest: "/etc/varnish/reload-vcl.sh" mode: "0700" owner: root group: root - when: ansible_distribution_major_version is version('9', '<=') + when: ansible_distribution_major_version is version('10', '<') notify: reload varnish tags: - varnish @@ -37,11 +37,24 @@ tags: - varnish -- name: Override Varnish systemd unit +- name: Override Varnish systemd unit (Stretch and before) template: - src: varnish.conf.j2 + src: varnish.conf.jessie.j2 dest: /etc/systemd/system/varnish.service.d/evolinux.conf force: yes + when: ansible_distribution_major_version is version('10', '<') + notify: + - reload systemd + - restart varnish + tags: + - varnish + +- name: Override Varnish systemd unit (Buster and later) + template: + src: varnish.conf.buster.j2 + dest: /etc/systemd/system/varnish.service.d/evolinux.conf + force: yes + when: ansible_distribution_major_version is version('10', '>=') notify: - reload systemd - restart varnish diff --git a/varnish/templates/varnish.conf.buster.j2 b/varnish/templates/varnish.conf.buster.j2 new file mode 100644 index 00000000..09dcf7c4 --- /dev/null +++ b/varnish/templates/varnish.conf.buster.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +[Service] +ExecStart= +ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} 
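Review bot: Nothing removes `/etc/varnish/reload-vcl.sh` on Debian 10 and later: the copy task is limited to `version('10', '<')` and the Buster override no longer sets `ExecReload`, so a host provisioned on Stretch and later upgraded presumably keeps a root-owned script that no unit references any more. A small cleanup task next to the copy task would keep the two cases symmetrical. Separately, the two "Override Varnish systemd unit" tasks write the same `dest` under complementary conditions, which a single task with a templated `src` would express without duplication. The task list continues outside the hunks.

```yaml
# … unchanged: "Copy Custom Varnish ExecReload script (Debian <10)" task …

- name: Remove custom Varnish ExecReload script (Debian 10 and later)
  file:
    path: /etc/varnish/reload-vcl.sh
    state: absent
  when: ansible_distribution_major_version is version('10', '>=')
  tags:
    - varnish
```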
diff --git a/varnish/templates/varnish.conf.j2 b/varnish/templates/varnish.conf.j2 deleted file mode 100644 index 3020d556..00000000 --- a/varnish/templates/varnish.conf.j2 +++ /dev/null @@ -1,7 +0,0 @@ -# {{ ansible_managed }} - -[Service] -ExecStart= -ExecStart=/usr/sbin/varnishd -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} -ExecReload= -ExecReload=/etc/varnish/reload-vcl.sh diff --git a/varnish/templates/varnish.conf.jessie.j2 b/varnish/templates/varnish.conf.jessie.j2 new file mode 100644 index 00000000..59651b36 --- /dev/null +++ b/varnish/templates/varnish.conf.jessie.j2 @@ -0,0 +1,7 @@ +# {{ ansible_managed }} + +[Service] +ExecStart= +ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} +ExecReload= +ExecReload=/etc/varnish/reload-vcl.sh From 1922b51fbe793ad894c3af0e629a006eea06f5b9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 21 Dec 2020 16:03:49 +0100 Subject: [PATCH 09/10] Release 10.3.0 --- CHANGELOG.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 463d3a83..c391df9a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
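Review bot: Both new unit templates add `-j unix,user=vcache` to `ExecStart`, which the deleted varnish.conf.j2 did not pass, and neither the commit subject nor the changelog line mentions it. Because varnish.conf.jessie.j2 is rendered on every release below Debian 10, it is worth confirming that the oldest varnishd still targeted accepts `-j` (as far as I recall the jail option only appeared with Varnish 4.1); otherwise the service would fail to start there. A header comment in both templates such as `# -j: privilege-separation jail, see varnishd(1)` would record why the flag is present.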
@@ -12,6 +12,18 @@ The **patch** part changes incrementally at each release. ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [10.3.0] 2020-12-21 + +### Added + * dovecot: Update munin plugin & configure it * dovecot: vmail uid/gid are configurable * evoacme: variable to disable Debian version check (default: False) @@ -41,10 +53,6 @@ The **patch** part changes incrementally at each release. * cerbot: parse HAProxy config file only if HAProxy is found -### Removed - -### Security - ## [10.2.0] 2020-09-17 ### Added From 66a6e67de2b5a48d223436ec39f662a1e7f774e3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 21 Dec 2020 23:33:14 +0100 Subject: [PATCH 10/10] varnish: variable for jail configuration --- CHANGELOG.md | 2 ++ varnish/defaults/main.yml | 1 + varnish/templates/varnish.conf.buster.j2 | 2 +- varnish/templates/varnish.conf.jessie.j2 | 2 +- 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c391df9a..6c7a40bd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ The **patch** part changes incrementally at each release. ### Added +* varnish: variable for jail configuration + ### Changed ### Fixed diff --git a/varnish/defaults/main.yml b/varnish/defaults/main.yml index 7a7d8c2f..fd22bfe2 100644 --- a/varnish/defaults/main.yml +++ b/varnish/defaults/main.yml @@ -13,6 +13,7 @@ varnish_thread_pools: "{{ ansible_processor_cores * ansible_processor_count }}" varnish_thread_pool_add_delay: 0 varnish_thread_pool_min: 500 varnish_thread_pool_max: 5000 +varnish_jail: "unix,user=vcache" varnish_config_file: /etc/varnish/default.vcl varnish_secret_file: /etc/varnish/secret diff --git a/varnish/templates/varnish.conf.buster.j2 b/varnish/templates/varnish.conf.buster.j2 index 09dcf7c4..63439b61 100644 --- a/varnish/templates/varnish.conf.buster.j2 +++ b/varnish/templates/varnish.conf.buster.j2 
@@ -2,4 +2,4 @@ [Service] ExecStart= -ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} +ExecStart=/usr/sbin/varnishd -F -j {{ varnish_jail }} {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} diff --git a/varnish/templates/varnish.conf.jessie.j2 b/varnish/templates/varnish.conf.jessie.j2 index 59651b36..f340323d 100644 --- a/varnish/templates/varnish.conf.jessie.j2 +++ b/varnish/templates/varnish.conf.jessie.j2 
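Review bot: The rewritten `ExecStart` now places `-F` ahead of `-j {{ varnish_jail }}`, here and in the identical hunk for varnish.conf.jessie.j2; as far as I recall, older varnishd releases rejected `-j` unless it was the first argument, so unless this has been checked against the packaged versions I would keep the original order, `ExecStart=/usr/sbin/varnishd -j {{ varnish_jail }} -F ...`. The new `varnish_jail` default in varnish/defaults/main.yml would also benefit from a comment stating what an override does, for example `# jail passed to varnishd -j; "none" disables privilege separation`.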
@@ -2,6 +2,6 @@ [Service] ExecStart= -ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} +ExecStart=/usr/sbin/varnishd -F -j {{ varnish_jail }} {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} ExecReload= ExecReload=/etc/varnish/reload-vcl.sh